The vast majority of federal agencies created policies to secure their employees’ mobile devices, but many people don’t follow the rules when it comes to smartphones, according to a report.

In a recent survey, roughly three-quarters of federal IT and cybersecurity experts told researchers that employees downloaded unauthorized apps to their work phones despite policies against doing so. More than 70 percent said employees “often” connect personal devices to government WiFi while at work, and almost half said people send work documents to their personal email accounts, both of which are prohibited by many agencies.

While participants said some type of mobile security strategy is in place at 96 percent of federal agencies, more than 60 percent reported experiencing a security incident that involved mobile devices, the report found.

Market Cube conducted the survey on behalf of mobile security group Lookout last year between Oct. 22 and Nov. 8. The report is based on the perspectives of 200 government IT and cybersecurity specialists.

“Despite the fact that over half of government agencies are experiencing security events via the mobile device, many are still ill-equipped to handle these incidents,” said Lookout researchers. They attributed the lack of preparedness to employees not following cybersecurity rules and agencies not fully understanding how to combat current mobile cyber threats.

In addition to employees failing to follow best practices when it comes to keeping mobile devices secure, researchers also found cybersecurity guidelines are inconsistent across government.

Roughly half of federal agencies bar employees from downloading unapproved apps on work devices, and only 54 percent require people to lock those devices with a PIN or passcode. Furthermore, only 35 percent of agencies prohibit employees from connecting work devices to non-government WiFi, and just 51 percent call on employees to update the software on their devices in a timely manner.

Feds have begun revisiting policies for mobile devices in recent months amid a handful of high-profile security incidents. In January, the Trump administration banned all personal electronics from the White House, citing security concerns, and Defense Secretary James Mattis is reportedly considering prohibiting people from bringing cell phones into the Pentagon in the wake of the Strava data dump.

“We believe that agencies don’t have to ban mobile devices to actually gain good security,” researchers said. Keeping operating systems up to date, shoring up devices against malware and other threats, and improving cybersecurity education for employees would help curb future cyber risks, they said.